Bug 29241 - netcdf new security issues CVE-2019-2000[5-7] CVE-2019-2019[89] CVE-2019-2020[0-2] CVE-2021-2622[0-2] CVE-2021-30485 CVE-2021-31229 CVE-2021-3134[78] CVE-2021-31598
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-07-09 17:56 CEST by David Walser
Modified: 2021-12-23 22:02 CET

See Also:
Source RPM: netcdf-4.7.4-3.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-07-09 17:56:50 CEST
Debian-LTS has issued an advisory on July 8:
https://www.debian.org/lts/security/2021/dla-2705

The issues are actually from a bundled library called ezXML which is also in netcdf, and there are more CVEs listed in this bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360

Mageia 8 is also affected.
David Walser 2021-07-09 17:57:00 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-07-09 21:17:37 CEST
This has no registered nor consistent maintainer, so assigning globally.
CC'ing pterjan & akien who have both done several recent updates to it.

Assignee: bugsquad => pkg-bugs
CC: (none) => pterjan, rverschelde

Comment 2 David Walser 2021-11-26 18:21:04 CET
openSUSE has issued an advisory for this on November 25:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DM4S3HXSBD3QQY6J6J2S4KVWTO63OS7U/
Comment 3 Nicolas Salguero 2021-12-06 11:54:25 CET
For Mageia8, netcdf-4.7.4-3.1.mga8, which includes the patches from openSUSE, should solve the problem.

For Cauldron, netcdf fails to build because of some tests.

CC: (none) => nicolas.salguero

Comment 4 David Walser 2021-12-06 16:05:32 CET
Looks like "nc_test" is the failure.

Mageia 8 packages:
libnetcdf18-4.7.4-3.1.mga8
libnetcdf-devel-4.7.4-3.1.mga8
netcdf-4.7.4-3.1.mga8

Status comment: (none) => Test suite failure in Cauldron

Comment 5 Nicolas Lécureuil 2021-12-18 15:37:41 CET
Latest netcdf is on Cauldron.

Assignee: pkg-bugs => qa-bugs
Status comment: Test suite failure in Cauldron => (none)
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 6 Herman Viaene 2021-12-20 14:44:01 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No wiki, no previous updates, reading description of netcdf in MCC:
"NetCDF (network Common Data Form) is an interface for array-oriented data access and a freely-distributed collection of software libraries for C, Fortran, C++, and perl that provides an implementation of the interface."
OK'ing this on clean install as we do for other developer's stuff.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2021-12-20 18:45:28 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-12-23 19:48:32 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2021-12-23 22:02:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0580.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

